Enshrining the right to be forgotten is a further step towards allowing individuals to take control of their own data, or even monetise it themselves, as we proposed in the 2020 white paper (Scenarios for the Future of Cybercrime).
The way the law stands in the EU currently, we have legal definitions for a data controller, a data processor and a data subject, an oddity which lands each of us in the bizarre situation where we are subjects of our own data rather being able to assert any notion of ownership over it. With data ownership comes the right to grant or deny access to that data and to be responsible for its accuracy and integrity.
In response to today’s EU judgement, I have seen a lot of commentators immediately cry “censorship” and make all kinds of unsupportable comparisons with book-burning, these reactions are simply misguided and out of all proportion to the decision made.
The ruling is the right one. I suggest you read the judgement before making knee-jerk reactionary comments about censorship, libraries, signposts or whatever. The court recognises that information that was “legally published” remains so and that the individual has no right to censor it. However, they also recognise that search engines collect, retrieve, record, organise, store and disclose information on an ongoing basis and that this constitutes “processing” of data under the EU directive. Further, given that the search engine determines the means and purpose of their own data processing, they are also a “Data Controller” under that directive and again must fulfil the legal requirements of such an entity, any other court decision would weaken that whole directive beyond repair. The entirety of information turned up in response to a search on a person’s name, represents a whole new level of publishing and the discrete items of information would have been very difficult, if not impossible, to put together in the absence of a search engine.
Any other decision on this would have simply blown away the EU Data Protection directive and that is not something any us should be advocating.
Before personal data became a commodity mined by corporations and attackers alike, the need for a legal stance on the identity of the “owner” of data relating to oneself may have seemed laughable. However that has landed us in the situation of today when entities that mine and monetise that same data can refer to this very welcome EU ruling as “disappointing”. Commercially disappointing it may be, however it is a step, albeit a small one, in the right direction.